On paper, the Digital Operational Resilience Act looks like a regulation aimed at banks. In practice, it reaches far wider – covering payment institutions, insurance companies, crypto-asset service providers, and the ICT third-party vendors that serve all of them. If your organisation operates in financial services or supplies technology to a regulated entity, the question is not whether DORA applies. The question is whether you are already behind.

The Digital Operational Resilience Act (DORA) – Regulation (EU) 2022/2554 – became directly applicable across all EU member states, including Poland, on 17 January 2025. It requires financial entities and their critical ICT providers to meet binding standards on risk management, incident reporting, resilience testing, and third-party oversight. Entities that missed the deadline face supervisory action by the Polish Financial Supervision Authority (KNF) and, in serious cases, personal liability of management board members.

This alert sets out which entities must comply, what the key thresholds are, and which immediate steps reduce exposure. The structure is: scope of application, then action items with deadlines.

Which entities does DORA cover?

DORA's scope is deliberately broad. The regulation covers credit institutions, payment institutions, electronic money institutions, investment firms, insurance and reinsurance undertakings, crypto-asset service providers, and central securities depositories – among others. In Poland, the Polish Financial Supervision Authority (KNF) and the National Bank of Poland (NBP) are the primary supervisory bodies responsible for enforcement. Entities registered in the National Court Register (KRS) that fall within any of these categories must comply, subject only to the proportionality rules and the microenterprise carve-out described below.

ICT third-party service providers are also affected, mostly through the contracts they sign. If your company supplies cloud computing, data analytics, or software services to a financial entity, DORA obliges that entity to include specific resilience and audit provisions in its contract with you, and to terminate arrangements that cannot be brought into line. Failure to include the mandatory contractual clauses – covering exit strategies, audit and access rights, service levels, data location, and incident notification – exposes the financial entity to supervisory scrutiny and the vendor to remediation demands, renegotiation, or loss of the contract.

One important carve-out exists. Microenterprises – defined as entities with fewer than 10 employees and annual turnover and/or balance sheet total not exceeding EUR 2 million – benefit from a lighter regime. They are still within scope, but several requirements do not apply, most notably threat-led penetration testing, and the remaining obligations are applied proportionately to their size and risk profile. This threshold matters for smaller Polish fintech operators and niche payment service providers.

What are the core compliance obligations and deadlines?

The 17 January 2025 application date was not a grace period – it was the hard deadline. Entities that have not yet established an ICT risk management framework, defined incident classification criteria, or mapped their third-party ICT dependencies are already non-compliant. The KNF has signalled active supervisory engagement with the sector throughout 2025 and into 2026.

Four obligations carry the highest immediate risk. First, ICT risk management frameworks must be documented and approved by the management body. Second, major ICT-related incidents must be reported to the KNF in three stages: an initial notification within 4 hours of classifying the incident as major (and no later than 24 hours from becoming aware of it), an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report. Third, contracts with ICT third-party providers supporting critical or important functions must be reviewed and updated to include DORA-mandated clauses. Fourth, digital operational resilience testing – including threat-led penetration testing (TLPT) for entities identified by the supervisor – must be conducted at least every 3 years.

  • ICT risk management framework – board-approved documentation required now
  • Incident reporting – initial notification to KNF within 4 hours of classification (no later than 24 hours from awareness), intermediate report within 72 hours, final report within one month
  • Third-party contract review – mandatory clauses covering audit rights and exit plans
  • Resilience testing – TLPT cycle of at least every 3 years for significant entities
  • Register of ICT third-party arrangements – maintained and available for supervisory inspection

We secured a full contractual remediation for a fintech client in the Mazowieckie region (winter 2025), updating over 30 ICT vendor agreements to meet DORA standards before the KNF's first supervisory review cycle. The exercise revealed gaps that the client's internal team had not identified during initial scoping.

What should your organisation do right now?

Non-compliance with DORA is not a theoretical risk. Supervisory powers under the regulation include binding recommendations, remedial orders, public disclosure of breaches, and administrative penalties set under national law. For critical ICT third-party providers designated at EU level, the Lead Overseer can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover, for up to six months, until it complies. Management board members of financial entities can face personal liability where governance failures contributed to the breach. Once a supervisory decision has been issued, its reputational and commercial consequences are very hard to unwind, even if the decision is later challenged.

The immediate priority is a gap analysis. Map your entity type against the DORA scope categories, identify which obligations apply at full or simplified level, and assess whether your current ICT risk documentation, incident response procedures, and vendor contracts meet the standard. This analysis should be completed within 30 days if it has not already been done.

Cross-border considerations add a further layer. Polish entities that transfer operational data to processors in other EU jurisdictions – or outside the EU – must align DORA obligations with the data transfer requirements of Polish and EU law. GDPR obligations and DORA incident reporting duties overlap when an ICT incident involves personal data: the same event can require a notification to the KNF under DORA and, separately, a personal data breach notification to the Polish data protection authority (UODO) within 72 hours under Article 33 GDPR, on different timelines and with different content. Incident response procedures should trigger both assessments from a single classification step rather than leaving each team to discover the other's deadline. Similarly, entities with operations in Cyprus or other EU member states should review the cross-border data transfer mechanisms they rely on so that vendor contracts are consistent across jurisdictions.

We assisted a Warsaw-based insurance group (spring 2025) in mapping DORA obligations across four EU subsidiaries, identifying a critical gap in their cloud provider contracts that would have triggered supervisory notification requirements. Early identification allowed remediation without regulatory exposure.

One further point: DORA sits alongside, not instead of, other regulatory frameworks. AI Act obligations for AI-driven decision systems used by financial entities (creditworthiness assessment and life and health insurance pricing are listed as high-risk uses), and trademark, IP and licensing considerations for proprietary fintech software, all intersect with DORA's scope. A siloed compliance approach – treating DORA as a standalone IT project – routinely produces gaps. For entities whose infrastructure depends on physical data centre locations subject to Polish planning and zoning rules, even site-selection decisions can carry regulatory implications.

The checklist below summarises the minimum steps for any in-scope entity:

  • Confirm entity classification and applicable DORA tier (full or simplified)
  • Complete an ICT risk management gap analysis within 30 days
  • Review and update all ICT third-party contracts for mandatory clauses
  • Establish an incident classification procedure that starts the 4-hour DORA notification clock and, where personal data is involved, the 72-hour GDPR clock at the same time

Specific situations require tailored assessment. The interaction between DORA obligations, GDPR requirements in Poland, and existing contractual frameworks is rarely straightforward.

To receive an expert assessment of your DORA compliance position and a prioritised remediation plan, contact info@kordeckipartners.com.

Frequently asked questions

Q: Does DORA apply to Polish companies that only provide software to banks, not financial services themselves?

A: Yes, in part. ICT third-party service providers are within DORA's reach whenever they supply services to financial entities, but for most vendors the obligations arrive through the contract: the regulation requires financial entities to include specific clauses on audit and access rights, incident notification, service levels, data location, and exit strategies, and vendors that refuse them risk losing the business. Vendors designated as "critical" by the European Supervisory Authorities face direct oversight by a Lead Overseer, including the power to request information, issue recommendations, and conduct on-site inspections.

Q: What is the timeline for TLPT testing, and does it apply to all entities?

A: Threat-led penetration testing (TLPT) applies to significant financial entities – those identified by the KNF on the basis of systemic importance, ICT risk profile, and the impact their disruption would have on the financial sector. The required cycle is at least once every 3 years, the test must cover live production systems supporting critical or important functions, and it follows an intelligence-led methodology aligned with TIBER-EU. Entities not identified for TLPT, including microenterprises, are not required to conduct it, but they must still run a proportionate testing programme covering measures such as vulnerability assessments and scans, gap analyses, scenario-based tests, source code reviews where feasible, and conventional penetration testing. The KNF has not yet published a definitive list of entities subject to TLPT in Poland.

Q: Is it a misconception that DORA only covers cybersecurity incidents?

A: Yes, that is a common misconception. DORA covers all ICT-related operational disruptions – including system outages, data integrity failures, and third-party service interruptions – not only security breaches. The incident classification and reporting framework applies to any event that materially impacts the continuity of critical or important functions, regardless of whether a malicious actor was involved.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to technology regulation, DORA compliance, and digital operational resilience. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.